diff --git a/net/relayd/Makefile b/net/relayd/Makefile index decfb1e6970e..e9cd92faecd0 100644 --- a/net/relayd/Makefile +++ b/net/relayd/Makefile @@ -1,52 +1,52 @@ PORTNAME= relayd PORTVERSION= 5.5.20140810 PORTREVISION= 8 CATEGORIES= net MAINTAINER= koue@chaosophia.net COMMENT= OpenBSD relay daemon LICENSE= ISCL -GH_ACCOUNT= mmatuska - USES= ssl uidfix USE_GITHUB= yes +GH_ACCOUNT= mmatuska + USE_RC_SUBR= relayd -WRKSRC_SUBDIR= src/usr.sbin +MAKE_ARGS+= BINDIR=${PREFIX}/sbin \ + MANDIR=${PREFIX}/man/man CFLAGS+= -Wall -MAKE_ARGS+= BINDIR=${PREFIX}/sbin \ - MANDIR=${PREFIX}/man/man +WRKSRC_SUBDIR= src/usr.sbin USERS= _relayd GROUPS= _relayd post-install: - @${INSTALL_DATA} ${WRKSRC}/../etc/relayd.conf \ + ${INSTALL_DATA} ${WRKSRC}/../etc/relayd.conf \ ${STAGEDIR}${PREFIX}/etc/relayd.conf.sample .include .if ! ${SSL_DEFAULT:Mlibressl*} . ifnmake describe STAGEDIR_libressl!= ${MAKE} -V STAGEDIR -C ${PORTSDIR}/security/libressl . endif BUILD_DEPENDS+= ${NONEXISTENT}:security/libressl:stage .endif # SSL_DEFAULT CFLAGS+= -I${STAGEDIR_libressl}${LOCALBASE}/include post-configure: ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \ ${WRKSRC}/relayd/relay.c \ ${WRKSRC}/relayd/relayd.h \ ${WRKSRC}/relayd/relayd.conf.5 \ ${WRKSRC}/relayd/relayd.8 ${REINPLACE_CMD} 's|-lssl|${STAGEDIR_libressl}${LOCALBASE}/lib/libssl.a|g' \ ${WRKSRC}/relayd/Makefile ${REINPLACE_CMD} 's|-lcrypto|${STAGEDIR_libressl}${LOCALBASE}/lib/libcrypto.a|g' \ ${WRKSRC}/relayd/Makefile .include diff --git a/net/relayd/files/patch-relayd_Makefile b/net/relayd/files/patch-relayd_Makefile new file mode 100644 index 000000000000..08b89f0f61c9 --- /dev/null +++ b/net/relayd/files/patch-relayd_Makefile @@ -0,0 +1,12 @@ +--- relayd/Makefile.orig 2014-08-10 20:08:47 UTC ++++ relayd/Makefile +@@ -28,8 +28,7 @@ SRCS+= parse.y \ + relay_udp.c \ + relayd.c \ + shuffle.c \ +- ssl.c \ +- ssl_privsep.c ++ ssl.c + + .PATH: ${.CURDIR}/../../../libevent + SRCS+= buffer.c \ 
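Review bot: The post-configure rewrites of `-lssl` and `-lcrypto` in net/relayd/Makefile link `libssl.a` and `libcrypto.a` from security/libressl statically, and nothing in the Makefile records that. A later libressl security fix will therefore not reach an installed relayd until this port is rebuilt. I would add a comment above the two `${REINPLACE_CMD}` lines, such as `# libssl.a/libcrypto.a are linked statically; bump PORTREVISION when security/libressl gets a security fix`. PORTREVISION also stays at 8 in this hunk although the patches below change which TLS loading code is compiled in; if the port was still building before this commit, a bump looks warranted so existing packages are rebuilt.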
diff --git a/net/relayd/files/patch-relayd_relay.c b/net/relayd/files/patch-relayd_relay.c index 42c6745bf485..cb0c2378a152 100644 --- a/net/relayd/files/patch-relayd_relay.c +++ b/net/relayd/files/patch-relayd_relay.c @@ -1,31 +1,49 @@ --- relayd/relay.c.orig 2014-08-10 20:08:47 UTC +++ relayd/relay.c +@@ -2097,7 +2097,7 @@ relay_ssl_ctx_create(struct relay *rlay) + /* Verify the server certificate if we have a CA chain */ + if ((rlay->rl_conf.flags & F_SSLCLIENT) && + (rlay->rl_ssl_ca != NULL)) { +- if (!ssl_ctx_load_verify_memory(ctx, ++ if (!SSL_CTX_load_verify_mem(ctx, + rlay->rl_ssl_ca, rlay->rl_conf.ssl_ca_len)) + goto err; + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); +@@ -2107,7 +2107,7 @@ relay_ssl_ctx_create(struct relay *rlay) + return (ctx); + + log_debug("%s: loading certificate", __func__); +- if (!ssl_ctx_use_certificate_chain(ctx, ++ if (!SSL_CTX_use_certificate_chain_mem(ctx, + rlay->rl_ssl_cert, rlay->rl_conf.ssl_cert_len)) + goto err; + @@ -2716,12 +2716,12 @@ relay_load_certfiles(struct relay *rlay) return (-1); if (snprintf(certfile, sizeof(certfile), - "/usr/local/etc/ssl/%s:%u.crt", hbuf, useport) == -1) + "%%PREFIX%%/etc/ssl/%s:%u.crt", hbuf, useport) == -1) return (-1); if ((rlay->rl_ssl_cert = relay_load_file(certfile, &rlay->rl_conf.ssl_cert_len)) == NULL) { if (snprintf(certfile, sizeof(certfile), - "/usr/local/etc/ssl/%s.crt", hbuf) == -1) + "%%PREFIX%%/etc/ssl/%s.crt", hbuf) == -1) return (-1); if ((rlay->rl_ssl_cert = relay_load_file(certfile, &rlay->rl_conf.ssl_cert_len)) == NULL) 
@@ -2732,11 +2732,11 @@ relay_load_certfiles(struct relay *rlay) if (useport) { if (snprintf(certfile, sizeof(certfile), - "/usr/local/etc/ssl/private/%s:%u.key", hbuf, useport) == -1) + "%%PREFIX%%/etc/ssl/private/%s:%u.key", hbuf, useport) == -1) return -1; } else { if (snprintf(certfile, sizeof(certfile), - "/usr/local/etc/ssl/private/%s.key", hbuf) == -1) + "%%PREFIX%%/etc/ssl/private/%s.key", hbuf) == -1) return -1; } if ((rlay->rl_ssl_key = ssl_load_key(env, certfile, diff --git a/net/relayd/files/patch-relayd_relayd.h b/net/relayd/files/patch-relayd_relayd.h index a3b511623af1..cbde779fb369 100644 --- a/net/relayd/files/patch-relayd_relayd.h +++ b/net/relayd/files/patch-relayd_relayd.h @@ -1,51 +1,62 @@ --- relayd/relayd.h.orig 2014-08-10 20:08:47 UTC +++ relayd/relayd.h @@ -21,6 +21,12 @@ #ifndef _RELAYD_H #define _RELAYD_H +#ifdef IN_MAIN +#define EXTERN +#else +#define EXTERN extern +#endif + #include #include /* MAXHOSTNAMELEN */ @@ -34,7 +40,7 @@ #include #ifdef __FreeBSD__ -#define CONF_FILE "/usr/local/etc/relayd.conf" +#define CONF_FILE "%%PREFIX%%/etc/relayd.conf" #else #define CONF_FILE "/etc/relayd.conf" #endif @@ -867,11 +873,13 @@ struct control_sock { }; TAILQ_HEAD(control_socks, control_sock); -struct { +struct control_state { struct event ev; int fd; -} control_state; +}; +EXTERN struct control_state control_state; + enum blockmodes { BM_NORMAL, BM_NONBLOCK 
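Review bot: In the two added inner hunks of relay_ssl_ctx_create, `rlay->rl_conf.ssl_ca_len` and `rlay->rl_conf.ssl_cert_len` are now passed to LibreSSL's `SSL_CTX_load_verify_mem` and `SSL_CTX_use_certificate_chain_mem`, whose length parameter is `int`. The prototypes removed in patch-relayd_relayd.h took `off_t`, so the length is presumably narrowed silently at the call. A guard before each call, e.g. `if (rlay->rl_conf.ssl_ca_len > INT_MAX) goto err;`, keeps an oversized file from being parsed with a wrapped length. Separately, the `snprintf(certfile, ...) == -1` checks in relay_load_certfiles do not catch truncation, and `%%PREFIX%%` makes the path length build-dependent; comparing the return value with `sizeof(certfile)` would reject a truncated certificate or key path. Both functions continue outside the hunks shown.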
@@ -978,7 +986,9 @@ enum privsep_procid { PROC_PFE, PROC_CA, PROC_MAX -} privsep_process; +}; + +EXTERN enum privsep_procid privsep_process; /* Attach the control socket to the following process */ #define PROC_CONTROL PROC_PFE +@@ -1242,10 +1252,6 @@ int ssl_load_pkey(const void *, size_t, char *, off_t + X509 **, EVP_PKEY **); + int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t, + char *, off_t, X509 **, EVP_PKEY **); +- +-/* ssl_privsep.c */ +-int ssl_ctx_use_certificate_chain(SSL_CTX *, char *, off_t); +-int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t); + + /* ca.c */ + pid_t ca(struct privsep *, struct privsep_proc *);